U.S. Department of Energy
Office of Inspector General
Office of Audits and Inspections

AUDIT REPORT

The Department of Energy's Implementation of Voice over Internet Protocol Telecommunications Networks

DOE/IG-0915    June 2014

Department of Energy
Washington, DC 20585

June 26, 2014

MEMORANDUM FOR THE SECRETARY

FROM: Gregory H. Friedman, Inspector General

SUBJECT: INFORMATION: Audit Report on "The Department of Energy's Implementation of Voice over Internet Protocol Telecommunications Networks"

BACKGROUND

Advancements in the telecommunications industry have created the ability to consolidate resources and minimize the continued environmental impact of maintaining facilities to sustain lines of communication. For example, the use of Voice over Internet Protocol (VoIP) allows the transmission of voice communications primarily over the internet and reduces reliance on the public switched telephone networks that have historically been used. According to various industry authorities, the ability to transfer data and voice over a single network can reduce operating costs associated with traditional communications networks that separated data and voice because organizations no longer need to manage and support two networks. Additional savings can be realized through consolidation of larger, traditional landline systems because VoIP networks are not bound by geographic limitations.
As such, high capacity networks can be deployed and provide telecommunications services to users in other areas or regions, potentially eliminating a significant portion of long distance charges.

The Department of Energy initiated and/or completed implementation of VoIP networks at more than 14 locations at a cost of over $56 million. While this technology potentially provides many benefits, it also presents additional security risks. The most serious threat to VoIP systems is an attack that results in massive increases in network traffic that can render a system inoperable. Because of the number of ongoing VoIP efforts and substantial costs involved, we initiated this audit to determine whether the Department planned and implemented its VoIP telecommunications networks in an efficient and secure manner.

RESULTS OF AUDIT

Our review identified opportunities to improve the efficiency and enhance cybersecurity of the Department's VoIP networks. In particular, we found:

• When upgrading aging telecommunications systems, programs and sites had undertaken a number of separate VoIP network implementations, a practice that potentially resulted in duplicative capabilities. For example, four sites at the Oak Ridge Reservation independently implemented separate VoIP networks or had performed pilot projects to implement new networks. In addition, we observed planning and coordination weaknesses at Headquarters, the Hanford Site and the Pacific Northwest National Laboratory.

• Programs and sites had not always applied required cybersecurity controls to VoIP networks, thus increasing the risk of compromise. Contrary to Federal requirements, seven of the nine sites we reviewed had conducted limited or no vulnerability scanning and penetration testing on installed VoIP systems.
We also identified weaknesses related to incomplete and/or untested contingency plans and failure to conduct or document the completion of periodic security control assessments.

The issues identified occurred, in part, because the Department had not developed and implemented a coordinated approach to support the implementation of VoIP efforts. Had the Department done so, the number of separate efforts undertaken likely could have been reduced and more effectively managed. We found that coordination between programs and sites that were implementing VoIP systems could have potentially decreased the more than $56 million in estimated implementation costs. For instance, programs and sites could have worked with one another to ensure that common VoIP resources such as hardware, support services and licensing costs were shared, as appropriate. The Department also had not adequately monitored the implementation of cybersecurity controls for VoIP systems. As an example, site office officials had not performed assessments of contractor VoIP network security at most of the sites reviewed.

Without improvements, the duplicative and fragmented VoIP implementation approach that we identified could continue unabated and result in additional, unnecessary expenditures of resources at programs and/or sites that have not yet upgraded to VoIP systems.
In addition, the Pacific Northwest National Laboratory spent approximately $1 million to implement a system without adequately considering alternatives, a decision which ultimately resulted in additional expenditures. Furthermore, the Department's information systems and networks will be at increased risk of compromise if cybersecurity controls are not appropriately identified and implemented.

Notably, many of the programs and sites reviewed had proactively acknowledged that existing telecommunications systems such as older hard-wired phone systems were nearing end-of-life and were in need of upgrade to continue to meet mission needs. We acknowledge that upgrading to a VoIP solution is likely to improve the Department's telecommunications infrastructure. However, the path the Department is on is not fiscally sustainable or efficient.

As such, we made several recommendations designed to address the issues outlined in our report. We recognize that there are many nuances related to the Department's organizational structure involving Federal and contractor elements that need to be considered. We believe, however, that improvements are possible and that our recommendations, if fully implemented, should help the Department manage the implementation of this technology in a more efficient and secure manner.

MANAGEMENT REACTION

Management concurred with the report's recommendations and indicated that corrective actions had been taken related to the Department's ongoing VoIP efforts. Our review of management's technical comments identified that additional work is necessary.
Management's formal comments are included in Appendix 3.

Attachment

cc: Deputy Secretary
    Under Secretary for Nuclear Security
    Deputy Under Secretary for Science and Energy
    Deputy Under Secretary for Management and Performance
    Chief of Staff
    Chief Information Officer

AUDIT REPORT ON THE DEPARTMENT OF ENERGY'S IMPLEMENTATION OF VOICE OVER INTERNET PROTOCOL TELECOMMUNICATIONS NETWORKS

TABLE OF CONTENTS

Audit Report

Details of Finding
Recommendations
Management Response and Auditor Comments

Appendices

1. Objective, Scope and Methodology
2. Prior Reports
3. Management Comments

DETAILS OF FINDING

The Department of Energy (Department) had not always planned and managed its implementation of Voice over Internet Protocol (VoIP) telecommunications networks in an efficient and secure manner. In particular, the Department had undertaken separate, potentially duplicative implementations of VoIP networks.
Furthermore, cybersecurity controls intended to protect VoIP networks were not always appropriately implemented at all programs and sites reviewed.

VoIP Implementation

When upgrading aging telecommunications systems, the Department deployed separate, potentially duplicative VoIP networks. At the time of our audit, more than 14 locations had initiated and/or completed separate VoIP efforts costing in excess of $56 million for the acquisition of resources, including hardware, support services and licensing costs. In particular:

• Four sites reviewed at the Oak Ridge Reservation either had separate VoIP networks in place or had performed pilot projects to implement new networks. For instance, the Oak Ridge Office (ORO) had initiated a project to replace its landline telephone system with a VoIP solution through the Office of Science's (Science) Information Technology Modernization Plan which, when completed, will provide updated telecommunications services to Federal employees throughout Science. While ORO officials noted that this system had been implemented with the capacity to allow for expansion to include the other sites on the Oak Ridge Reservation, we found that other sites were independently carrying out their own VoIP activities. Specifically, Oak Ridge Associated Universities officials confirmed that their separate service provider-managed VoIP system was operational, and the East Tennessee Technology Park spent $21,000 on a VoIP pilot project in 2008 with the support of ORO but discontinued the effort after 24 months due to a lack of financial feasibility. In addition, the Oak Ridge National Laboratory began a separate project in 2011 to provide VoIP services to that site.
Officials also told us that future phases of the Science VoIP initiative will expand ORO's network to provide telecommunications services to Federal employees at other site offices and Headquarters. However, this effort is potentially duplicative of services that may already be available at those sites, including the Office of the Chief Information Officer's (OCIO) VoIP network at Headquarters.

• Other sites had split existing telecommunications systems to implement separate VoIP networks. For example, even though they are located in the same geographic area, the Pacific Northwest National Laboratory (PNNL) and the Hanford Site (Hanford) each implemented or were implementing separate VoIP networks. Prior to 2007, certain buildings at PNNL were connected to the Hanford phone system. According to Hanford officials, when the site was planning its VoIP deployment, it invited PNNL to join; however, officials stated that PNNL declined. PNNL officials commented that, subsequent to 2007, the site decided to implement its own VoIP network because it believed that moving to its own system permitted process improvements that better achieved objectives related to functional capacity, security, reliability and operational cost requirements. However, much, if not all, of what PNNL hoped to achieve could have been accomplished by consolidating its needs with Hanford and implementing a joint VoIP network, thus avoiding duplicative efforts. The Hanford system was able to support approximately 22,000 lines of service – only about half of which were being used.
The PNNL VoIP system was estimated to provide up to 7,000 lines of service. Proposed funding for the new PNNL network totaled approximately $2.8 million, while the Hanford VoIP initiative was completed at just under $7 million. Office of Environmental Management officials noted that the capacity of the Hanford VoIP network was designed for future growth to accommodate other Office of Environmental Management sites. While we agree with management's statement, we continue to maintain that additional capacity could have been used to meet PNNL's needs had the sites better coordinated.

  In addition, PNNL expended significant resources to perform a partial system implementation even though a more cost effective alternative had been identified. The expenditures may have been avoidable had the recommendations of a site commissioned alternatives analysis been implemented. That analysis recommended that PNNL continue with its then-current solution for a period of time to allow the VoIP technology and markets to mature. However, officials chose to implement a limited 1,200 line system at a cost of approximately $1 million.
Site officials have since chosen what they believe to be a more cost effective solution that added almost 6,000 lines at a cost of $1.8 million. Even though the analysis conducted for PNNL recommended that postponing the development of a VoIP network was the most cost effective solution, the Federal site office did not question PNNL's decision to proceed with its implementation.

Cybersecurity Controls

Sites had not always applied all required technical cybersecurity controls to VoIP networks. Contrary to security requirements issued by the National Institute of Standards and Technology, only limited vulnerability scanning and penetration testing was performed on the installed VoIP systems at seven of nine sites reviewed. VoIP networks are subject to the same security weaknesses that can affect the confidentiality, integrity and availability of data networks. Additionally, VoIP networks can provide additional threat vectors for traditional exploits and malware through the significant increase in network internet protocol addresses. As such, the timely identification and remediation of vulnerabilities that could cause attacks such as Denial of Service [1] within the network is imperative to ensure continued service.

Our testing also revealed a number of issues related to process-oriented general security controls that could increase the risk of compromise to the telecommunications networks and other interconnected information systems.
In particular, contingency plans had not always been fully developed and tested on the VoIP system reviewed at PNNL, and the OCIO could not provide documentation demonstrating that contingency plans had been tested on a regular basis. Although PNNL officials noted that they had completed a disaster recovery plan, we found that the plan did not address the recovery of the site's VoIP system in the event of a loss of availability. As required by the National Institute of Standards and Technology, information system owners should develop, test and revise contingency plans on a regular basis as part of maintaining a system's operation.

[1] A Denial of Service attack is an incident in which a user or organization is deprived of network services such as e-mail or VoIP, usually through an overload of network traffic to an internet protocol address.

Furthermore, two of nine sites reviewed did not perform required security control assessments. Specifically, PNNL and Oak Ridge National Laboratory did not perform or could not provide documentation to support that security assessments had been performed on a periodic basis. Periodic security assessments allow programs and sites to address changing security requirements, emerging threats, vulnerabilities, attack methods and the availability of new technologies.
PNNL officials noted that they assessed the risks associated with VoIP systems. However, our review of PNNL's system security plan determined that the document did not include information about which National Institute of Standards and Technology controls were implemented on the network or provide assurance that such controls were tested and operating as intended.

Management of Telecommunications Infrastructure

The issues identified occurred, in part, because the Department had not ensured a coordinated and well-communicated approach related to the implementation of VoIP systems. In addition, a lack of effective monitoring of the various program/site level initiatives adversely impacted the Department's ability to ensure efficient and effective implementation of VoIP systems and corresponding cybersecurity controls.

Coordination and Planning

Department officials had not always ensured that a coordinated and well-communicated approach was executed during the implementation of VoIP networks. As such, many sites had undertaken ad-hoc VoIP implementation initiatives without consistent direction or appropriate coordination. For instance, even though the Department's OCIO was implementing a VoIP system at Headquarters, Science planned to establish its own capabilities through the Science VoIP initiative. Had the numerous ongoing projects been fully coordinated, the Department would have had the opportunity to perform appropriate studies and likely have been able to coordinate system implementations in a more cost effective and efficient manner. Absent effective coordination, one of the key advantages of VoIP was diminished – cost reduction through scalability.
Specifically, coordination between programs and sites that were implementing VoIP could have potentially decreased the more than $56 million in estimated implementation costs and helped ensure that common VoIP resources such as hardware, support services and licensing costs were shared, as appropriate. Although Science officials commented that the program's Information Technology Modernization Plan would help ensure coordination of VoIP efforts, we noted that the plan was limited to Federal elements and did not include operating contractors.

A lack of planning also contributed to the implementation issues that were identified. In particular, while Science had outlined a three-phased approach to providing VoIP services to its Federal employees, officials had not completed planning activities for efforts beyond the first phase, which was underway at ORO. As such, Science officials could not provide cost estimates for future efforts and had not fully considered the potential duplication issues we identified between the national laboratories and site offices. In addition, PNNL had not followed the recommendation of an alternatives analysis it commissioned which identified a more cost effective solution to its initial VoIP implementation.

In technical comments on our report, management stated that it had drafted an Information Resource Management Strategic Plan and planned to implement VoIP capabilities to all of the OCIO's current customers at Headquarters. While this is an encouraging first step, it may not fully address the issues identified during the audit because the scope of the planned efforts did not include Headquarters programs that were not current OCIO customers or any of the Department's field elements.
In addition, technical comments from the Department's various programs generally did not provide evidence demonstrating increased cooperation across the Department.

Performance Monitoring

The Department had not adequately monitored the implementation of VoIP efforts or related cybersecurity controls. In particular, neither the OCIO nor program offices had conducted an adequate review or evaluation of the various VoIP implementations being undertaken. Monitoring and oversight of VoIP projects should have begun early in the process and could have allowed the Department to fully evaluate the benefits and need for VoIP networks. To date, the Department has yet to assign oversight responsibility for VoIP implementation to any centralized authority, such as the OCIO or a related information technology council.

We also found that the Department had not adequately monitored the implementation of cybersecurity controls for VoIP systems. Programs left the interpretation and implementation of cybersecurity controls up to site offices. However, we found that certain site offices had not adequately monitored the development and implementation of these controls. Specifically, site office officials had not ensured that performance assessments of VoIP network security had occurred at most of the sites reviewed. As a result of the lack of monitoring and/or guidance related to VoIP implementation, cybersecurity controls were not consistently applied or not applied at all across the Department and resulted in increased risks to systems and networks.

In response to our report, management indicated that efforts were underway to strengthen its performance monitoring program. For instance, the National Nuclear Security Administration indicated that VoIP networks will be included in various cybersecurity surveys and reviews and noted that it will reemphasize the need to ensure adequate security over VoIP systems.
In addition, Science commented that it ensured effective performance monitoring related to cybersecurity as part of implementing and monitoring the VoIP controls recommended by Federal guidance and that VoIP controls are monitored through the results of independent surveys conducted by the Department's Office of Cyber Assessments. However, we learned through discussions with Office of Cyber Assessments personnel that VoIP systems at Science locations have not been tested. Ensuring that VoIP systems are within the scope of assessments can be a valuable management tool and further enhance performance monitoring activities.

Opportunities for Improvement

Without improvements in coordination, planning and ensuring effective performance monitoring, the Department will continue to implement a duplicative, decentralized and fragmented approach for managing VoIP systems. Had the Department examined and identified opportunities for consolidation of its multiple VoIP networks, it may have realized significant savings related to the implementation and support of its voice networks. For example, had the Department fully assessed its enterprise-wide telecommunications needs and appropriately coordinated and consolidated its efforts to the extent practical, it could have potentially reduced the $56 million spent on VoIP efforts. Enhanced performance monitoring of ongoing and future VoIP network implementations could also reduce expenditures. We noted that PNNL spent almost $1 million on its initial VoIP implementation. However, officials stated that after installing a solution that supported over 1,200 lines of service, the expansion of that project was halted to review another solution that they believed would be more cost effective – a solution that will provide almost 6,000 lines of service at a cost of $1.8 million.
Going forward, effective coordination, monitoring and consolidation could save the Department significant amounts of increasingly scarce funds. Furthermore, lack of effective performance monitoring by programs and sites to appropriately identify and implement cyber security controls may increase the risk of compromise to information systems and networks.

As noted in the Department's recently developed Information Technology Modernization Strategy, it must seek opportunities to improve efficiency and reduce the cost of services. This strategy jointly tasks the Department's and National Nuclear Security Administration's Chief Information Officers with modernizing the information technology environment and identifying opportunities to share services, reduce costs and leverage new technologies. The corrective actions recommended in this report can help remediate the issues identified during our audit and facilitate the Department's implementation of its Information Technology Modernization Strategy as it begins examining alternatives for unified communications such as integration of instant messaging, web and video conferencing, voice, e-mail and calendaring.

Notably, some Department sites realized savings through the implementation of VoIP networks. Hanford reported that it realized savings of approximately $2 million per year through its VoIP implementation. These savings resulted from lowered operational costs related to reducing overall power consumption and reduced maintenance and labor costs.
Officials at Los Alamos National Laboratory stated that they had realized similar savings.

RECOMMENDATIONS

To more effectively manage its Voice over Internet Protocol telecommunications networks in an efficient and secure manner, we recommend that the Under Secretary for Nuclear Security, the Deputy Under Secretary for Science and Energy and the Deputy Under Secretary for Management and Performance, in coordination with the Department's and National Nuclear Security Administration's Chief Information Officers:

1. Develop and implement an enterprise-wide telecommunications strategy that leverages existing resources; encourages communication, cooperation and planning by and among programs and sites; and eliminates unnecessary duplication and excess capacity; and

2. Ensure effective performance monitoring to strengthen cyber security over VoIP systems and networks, including correcting, through the implementation of appropriate controls, the cyber security weaknesses identified in this report.

MANAGEMENT RESPONSE

Management concurred with the report's recommendations and commented that corrective actions had been taken and/or initiated. Management commented that the Department's Information Resource Management Strategic Plan included language to improve collaboration when delivering management and technology solutions. Management also indicated that efforts were being made to ensure effective performance monitoring to strengthen cybersecurity over VoIP systems and networks.
In technical comments, the National Nuclear Security Administration commented that it will evaluate potential enterprise-wide opportunities related to VoIP implementation and will reemphasize that VoIP systems must meet Federal cybersecurity requirements. Science management commented that it will work with the OCIO and other stakeholders to develop a strategic plan related to VoIP.

AUDITOR COMMENTS

Management's comments are generally responsive to our recommendations. However, although management concurred with the report's recommendations and considered corrective actions for both recommendations to be complete, technical comments submitted by various program offices related to coordination, planning and performance monitoring indicated that additional work is necessary to address the report's recommendations. We have addressed management's technical comments in the body of the report. Management's comments are included in Appendix 3.

APPENDIX 1

OBJECTIVE, SCOPE AND METHODOLOGY

Objective

To determine whether the Department of Energy (Department) planned and implemented its Voice over Internet Protocol (VoIP) telecommunications networks in an efficient and secure manner.

Scope

We conducted the audit from November 2012 to June 2014, at Headquarters offices in Washington, DC and Germantown, Maryland; Oak Ridge National Laboratory, Y-12 National Security Complex, East Tennessee Technology Park, Oak Ridge Associated Universities and the Oak Ridge Office in Oak Ridge, Tennessee; Pacific Northwest National Laboratory, Richland Operations Office and the Hanford Site, in Richland, Washington; Los Alamos National Laboratory in Los Alamos, New Mexico; and Sandia National Laboratories in Albuquerque, New Mexico.
This audit was conducted under Office of Inspector General project number A13TG009.

Methodology

To accomplish the audit objective, we judgmentally selected a sample of 10 Departmental sites. This selection was based on the sites' implementation of unclassified VoIP networks. Because a judgmental sample was used, results are limited to the sites or locations selected. Additionally, we:

• Evaluated the Department's policies and procedures regarding the communications equipment;

• Evaluated the costs associated with the Department's implementation of VoIP networks;

• Determined whether a risk-based approach had been implemented to assist in the security of communications equipment;

• Evaluated protective measures to determine if both physical and cyber related vulnerabilities had been considered for the Department's communications infrastructure;

• Reviewed actions taken to address prior findings and recommendations relevant to this audit area; and

• Identified opportunities for improving the Department's management of its unclassified communications resources.

We conducted this performance audit in accordance with generally accepted Government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.
Accordingly, we assessed significant internal controls and the Department's implementation of the GPRA Modernization Act of 2010 and determined that it had not established performance measures for the management of its telecommunications infrastructure. Because our review was limited, it would not have necessarily disclosed all internal control deficiencies that may have existed at the time of our evaluation. We did not rely on computer-processed data to satisfy our audit objectives.

Management waived an exit conference.

APPENDIX 2

PRIOR REPORTS

• Evaluation Report on The Department's Unclassified Cyber Security Program – 2013 (DOE/IG-0897, October 2013). The Department of Energy (Department) had taken a number of positive steps over the past year to correct cyber security weaknesses related to its unclassified information systems. In spite of these efforts, our testing revealed various weaknesses related to security reporting, access controls, patch management, system integrity, configuration management, segregation of duties and security management. The weaknesses identified occurred, in part, because Department elements had not ensured that policies and procedures were fully developed and implemented to meet all necessary cyber security requirements. In addition, the Department continued to operate a less than fully effective performance monitoring and risk management program. Absent improvements to its unclassified cyber security program, the Department's information and systems will continue to be at a higher than necessary risk of compromise.

• Audit Report on Telecommunications Infrastructure (DOE/IG-0537, December 2001).
The report identified that duplicative data transmission infrastructures existed across the Departmental complex. Further, the Department had not optimized the acquisition of internet and video services. Specifically, organizations maintained about 190 data transmission circuits that duplicated capabilities of other Department-wide networks; a number of sites utilized open market sources to acquire internet service that could have been provided from existing capacity; and organizations were maintaining video teleconferencing capabilities that were incompatible with corporate networks. These problems occurred because the Department had not developed and implemented a coordinated approach to the acquisition and use of telecommunications equipment and services. Further, the Department had not adopted a comprehensive set of performance measures and incentives which would have encouraged both Federal employees and contractors to obtain necessary telecommunications capabilities as cost effectively as possible. As a consequence, the Department annually spends at least $4 million more than necessary to operate and maintain its telecommunications infrastructure.

APPENDIX 3

MANAGEMENT COMMENTS

FEEDBACK

The Office of Inspector General has a continuing interest in improving the usefulness of its products.
We aim to make our reports as responsive as possible and ask you to consider sharing your thoughts with us.

Please send your comments, suggestions and feedback to OIGReports@hq.doe.gov and include your name, contact information and the report number. Comments may also be mailed to:

Office of Inspector General (IG-12)
Department of Energy
Washington, DC 20585

If you want to discuss this report or your comments with a member of the Office of Inspector General staff, please contact our office at (202) 253-2162.